CrossAuth – Documentation
CrossAuth is a hybrid Minecraft authentication plugin that allows premium (online-mode) and cracked (offline-mode) players to coexist with separate authentication flows and shared security features.

⚙️ How It Works
Premium Players

1. Player joins the server.
   
   
2. On first join, they must run /cpre to verify premium status.
   
   
3. After successful verification, their UUID is saved, and future logins are automatic.

Cracked Players

1. Player joins the server.
   
   
2. If not registered, they must use /register <password> <confirm_password>.
   
   
3. On future logins, they use /login <password>.
   
   
4. Passwords are hashed using BCrypt.

Commands
Command Description Permission
/register <password> <confirm> Register an account (cracked only) crossauth.register
/login <password> Login to your account crossauth.login
/cpre Verify premium status (one-time) crossauth.premium
Security Features

• Blindness, inventory lock, and spawn teleport until login
  
  
• Command/chat/movement blocking before authentication
  
  
• Max login attempt limit (configurable)
  
  
• Cooldown for failed logins
  
  
• Session saved by UUID + IP
  
  
• BCrypt password storage

Configuration
File Location: /plugins/CrossAuth/config.yml

yaml
auth:
max-login-attempts: 3
login-cooldown-minutes: 5
session-duration-hours: 24
allow-same-ip-session: true

player:
apply-blindness: true
teleport-to-spawn: true
spawn-duration-seconds: 1

messages:
prefix: "&8[&bCrossAuth&8] &r"
register-success: "&aSuccessfully registered!"
login-success: "&aLogged in!"
login-failed: "&cInvalid password. %attempts% left."
login-cooldown: "&cToo many attempts. Wait %cooldown% mins."
premium-success: "&aPremium verified!"

Data Storage

• Premium status saved in premium-players.yml
  
  
• Cracked user passwords & IPs saved in users/
  
  
• BCrypt hashing is used for cracked passwords

Compatibility

• PaperMC / Spigot 1.21+
  
  
• Java 21 or higher
  
  
• Works with Geyser/Floodgate (recommended to set premium to offline mode for Geyser)

Developer Tips

• Plugin listens to PlayerJoinEvent to restrict actions until login.
  
  
• Premium UUIDs are matched using GameProfile.getId() from Mojang session servers.
  
  
• Cracked accounts always use usernames for local authentication.
  
  
• Use CrossAuthAPI#isAuthenticated(Player) in your own plugins to check login state.

Support & Contributions

• Email: [email protected]
  
  
• Discord: [Join](https://discord.gg/bAEr2dxB4Q)

License
CrossAuth is closed-source proprietary software created by RealKanxa. You may use it on personal or commercial servers, but you may not distribute, modify, or sell without explicit permission.